Email Encryption: HIPAA Considerations for Lawyers and CPAs
February 17, 2015
Currently, neither the NC State Bar nor the NC State Board of CPA Examiners specifically requires encrypted email, although licensees must take reasonable measures to ensure any client information maintained and transmitted is confidential and secure. On the other hand, the Health Insurance Portability and Accountability Act of 1996 [“HIPAA”] may require both lawyers and CPAs, under certain circumstances, to encrypt when acting as a “business associate” to a “covered entity.”
Could you be a “business associate” under HIPAA?
When HIPAA was first enacted, only covered entities, such as health care providers and health plans, were required to take steps to secure and prevent the unauthorized disclosure of certain types of individually identifiable protected health information [“PHI”] of their patients or members. The HIPAA privacy and security rules now apply not only to covered entities but also to their business associates. Further, with the new rules firmly in place, the U.S. Department of Health and Human Services is expected to become more aggressive in enforcing HIPAA. Given that lawyers and CPAs who violate the rules while providing services to covered entities may be subject to penalties of $100 to over $50,000 per violation, it is worthwhile to consider whether you are classified as a “business associate” under HIPAA.
HIPAA defines a business associate as any entity that creates, receives, maintains, or transmits PHI while performing a function, activity, or service on behalf of a covered entity, including the provision of legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services. So if you are performing legal or accounting services directly for, or on behalf of, a covered entity, such as a healthcare provider or healthcare plan, you are classified as a business associate and, consequently, must meet the same standard of security for the protection of PHI as the covered entity.
HIPAA Encryption Requirement
The good news is that HIPAA does not necessarily require the use of email/fax encryption by covered entities and business associates. The security rule made the use of encryption for PHI an “addressable” implementation specification as opposed to a “required” specification. Therefore, before a covered entity or business associate can decide not to encrypt electronic transmissions of PHI, the entity must engage in a feasibility analysis. The analysis would consider the:
- Size, complexity and capabilities;
- Technical infrastructure, hardware and software security capabilities;
- Costs of security measures; and
- Probability and criticality of potential risks to electronic PHI.
Under the feasibility analysis, “[i]f the entity decides that the addressable implementation specification is ‘not reasonable and appropriate’, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose not to execute the implementation specification or any equivalent alternative measure and document the rationale for this decision.” Thus, it is a violation of HIPAA to send unencrypted emails containing PHI while providing services to a covered entity without first having performed and documented the feasibility analysis.
As noted already, a single violation can carry a penalty as high as $50,000. On the other hand, encryption carries the benefit of qualifying for a “safe harbor” under HIPAA’s breach notification requirements. A security incident that would otherwise require notification is not considered a breach if the PHI affected was encrypted and the encryption key had not been compromised.
In summary, if the lawyer or CPA is performing a service on behalf of a covered entity which involves creating, receiving, maintaining, or transmitting electronic PHI, s/he would likely be a business associate under HIPAA. Then, to determine if the covered entity and business associate should implement a mechanism to encrypt ePHI, the feasibility analysis discussed above should be conducted.
Other Potential Requirements for Business Associates
In addition to encryption considerations, under HIPAA, business associates may also need to:
(1) Execute Business Associate Agreements
Lawyers and CPAs may need to execute a business associate agreement with the covered entity. The agreement should comply with the specifications required by HIPAA. In addition, when the business associate must disclose PHI to a third party (e.g., expert witnesses, investigators, third-party providers), s/he will need to execute a business associate agreement with that third party which includes the same restrictions and conditions that originally applied to the business associate with respect to the information.
(2) Implement HIPAA Policies with Documented Procedures
Business associates should implement and document policies and procedures to prevent, detect, contain, and correct security violations relating to ePHI.
(3) Perform HIPAA Training for Staff and Yearly HIPAA Security Reviews
Everyone who falls under HIPAA must perform HIPAA training for staff and yearly security reviews of their internal systems, their policies, and the flow of their ePHI into and out of their network, among other things.
Note that the list above does not include all functions a lawyer or CPA who is classified as a business associate may need to perform to be compliant under HIPAA. It is highly advisable for any professional who handles PHI while providing a service to a covered entity to consult an attorney practicing in the area of health care regulation to ensure compliance with the complex and changing laws surrounding the privacy and security of PHI.
THIS INFORMATION IS NOT INTENDED TO BE LEGAL ADVICE.
See 45 C.F.R. § 160.103.
78 Federal Register 5644.